(Another)Website Hacked - php, htaccess, and images modified

Discussion regarding Joomla! 2.5 security issues.

jhutch769
Joomla! Apprentice
Posts: 7
Joined: Wed Oct 01, 2014 6:25 pm

(Another)Website Hacked - php, htaccess, and images modified

Post by jhutch769 » Sat Feb 03, 2018 2:58 am

I was trying to upload another post with more information, but it got blocked (maybe because I included the domain name, but I spaced it out with the word "dot", so it shouldn't have shown as a link?). Not sure what I did wrong. Anyway, I am going to try again and just post the FPA log along with a brief description of what's happening. Our site's index.php is being modified to direct to an uploaded .png file in our media/system/images folder. The .png has a lot of suspicious code in it. Also, the .htaccess file is continually modified. I delete the png files and re-upload the php and htaccess files, but they are modified minutes after. Two extensions are out of date, Akeeba Backup and JCEditor. I have changed the cPanel and FTP passwords. Looking for possible solutions to plug holes so those files are not added and modified back again. They also uploaded a few google verification files and 10 sitemaps. I have deleted everything I could find, but they keep getting changed back. I cannot figure out how to migrate to Joomla 3.x; I have tried and tried in xampp, but I cannot get our template to migrate properly. It was written by another company I can no longer get hold of.
Problem Description :: Forum Post Assistant (v1.3.9) : 2nd February 2018 wrote: Website Hack, modified index.php, .htaccess, 3 uploaded pngs
Actions Taken To Resolve by Forum Post Assistant (v1.3.9) 2nd February 2018 wrote: Remove php code, redo .htaccess, uploaded backups, deleted added files, attempt to update JCE and Akeeba, changed passwords to cPanel/FTP, deleted google verification token.
Forum Post Assistant (v1.3.9) : 2nd February 2018 wrote:
Basic Environment ::
Joomla! Instance :: Joomla! 2.5.27-Stable (Ember) 30-September-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: N/A | FTP Layer: 0 | Proxy: N/A | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: N/A | SSL: 0 | FrontEdit: N/A | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | dbConnection Type: mysqli | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.2.65-2wogr | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 166.07 GiB |

PHP Configuration :: Version: 5.2.17 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: | Register Globals: 1 | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 256M | Max. POST Size: 256M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

MySQL Configuration :: Version: 5.5.52-cll (Client:5.5.52) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 73.17 MiB | #of Tables:  243
Detailed Environment ::
PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | session () | iconv () | json (1.2.1) | mbstring () | mcrypt () | mhash () | ming () | ncurses () | posix () | pspell () | readline () | Reflection (0.1) | standard (5.2.17) | shmop () | SimpleXML (0.1) | SPL (0.2) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | cgi-fcgi () | ew (0.9) | htscanner (1.0.1-dev) | imap () | ldap () | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | soap () | zip (1.8.11) | eAccelerator (0.9.5.3) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information ::
Database statistics :: Uptime: 16560049 | Threads: 1 | Questions: 604203586 | Slow queries: 6508 | Opens: 46531242 | Flush tables: 1 | Open tables: 1024 | Queries per second avg: 36.485 |
Extensions Discovered ::
Components :: SITE :: WF_FILESYSTEM_JOOMLA_TITLE (2.6.21) 1 | WF_LINK_SEARCH_TITLE (2.6.21) 1 | WF_POPUPS_WINDOW_TITLE (2.6.21) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.21) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.6.21) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.21) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.6.21) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.21) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.6.21) 1 | WF_SEARCHREPLACE_TITLE (2.6.21) 1 | WF_XHTMLXTRAS_TITLE (2.6.21) 1 | WF_HR_TITLE (2.6.21) 1 | WF_EMOTIONS_TITLE (2.6.21) 1 | WF_TABLE_TITLE (2.6.21) 1 | WF_STYLESELECT_TITLE (2.6.21) 1 | WF_SPELLCHECKER_TITLE (2.6.21) 1 | WF_CLEANUP_TITLE (2.6.21) 1 | WF_PRINT_TITLE (2.6.21) 1 | WF_FONTSELECT_TITLE (2.6.21) 1 | WF_ARTICLE_TITLE (2.6.21) 1 | WF_CHARMAP_TITLE (2.6.21) 1 | WF_ANCHOR_TITLE (2.6.21) 1 | WF_FONTCOLOR_TITLE (2.6.21) 1 | WF_VISUALBLOCKS_TITLE (2.6.21) 1 | WF_CLIPBOARD_TITLE (2.6.21) 1 | WF_PREVIEW_TITLE (2.6.21) 1 | WF_LISTS_TITLE (2.6.21) 1 | WF_CONTEXTMENU_TITLE (2.6.21) 1 | WF_NONBREAKING_TITLE (2.6.21) 1 | WF_IMGMANAGER_TITLE (2.6.21) 1 | WF_VISUALCHARS_TITLE (2.6.21) 1 | WF_FORMATSELECT_TITLE (2.6.21) 1 | WF_STYLE_TITLE (2.6.21) 1 | WF_INLINEPOPUPS_TITLE (2.6.21) 1 | WF_SOURCE_TITLE (2.6.21) 1 | WF_MEDIA_TITLE (2.6.21) 1 | WF_TEXTCASE_TITLE (2.6.21) 1 | WF_FONTSIZESELECT_TITLE (2.6.21) 1 | WF_AUTOSAVE_TITLE (2.6.21) 1 | WF_LAYER_TITLE (2.6.21) 1 | WF_FULLSCREEN_TITLE (2.6.21) 1 | WF_LINK_TITLE (2.6.21) 1 | WF_BROWSER_TITLE (2.6.21) 1 | WF_DIRECTIONALITY_TITLE (2.6.21) 1 | WF_KITCHENSINK_TITLE (2.6.21) 1 | default (1.0.0) 1 | com_wrapper (2.5.0) 1 | com_mailto (2.5.0) 1 |
Components :: ADMIN :: Unknown (-) 1 | JCE (2.4.5) 1 | com_admin (2.5.0) 1 | com_newsfeeds (2.5.0) 1 | com_cache (2.5.0) 1 | com_categories (2.5.0) 1 | com_installer (2.5.0) 1 | com_plugins (2.5.0) 1 | com_search (2.5.0) 1 | com_modules (2.5.0) 1 | com_templates (2.5.0) 1 | com_checkin (2.5.0) 1 | com_joomlaupdate (2.5.0) 1 | com_weblinks (2.5.0) 1 | VirtueMart (1.2.0b) 1 | com_media (2.5.0) 1 | JEvents (3.1.34) 1 | com_banners (2.5.0) 1 | Akeeba (3.4.6) 1 | com_config (2.5.0) 1 | com_cpanel (2.5.0) 1 | com_content (2.5.0) 1 | com_users (2.5.0) 1 | com_messages (2.5.0) 1 | com_login (2.5.0) 1 | com_menus (2.5.0) 1 | com_finder (2.5.0) 1 | com_redirect (2.5.0) 1 | com_languages (2.5.0) 1 |

Modules :: SITE :: JEvents Filter (3.1.34) 1 | mod_articles_latest (2.5.0) 1 | mod_articles_archive (2.5.0) 1 | mod_search (2.5.0) 1 | mod_breadcrumbs (2.5.0) 1 | mod_weblinks (2.5.0) 1 | mod_articles_news (2.5.0) 1 | mod_articles_popular (2.5.0) 1 | Extended Menu (1.2.0 (build ) 1 | mod_random_image (2.5.0) 1 | mod_articles_category (2.5.0) 1 | mod_footer (2.5.0) 1 | mod_languages (2.5.0) 1 | System (1.0.0) 1 | JEvents CustomModule (3.1.34) 1 | mod_articles_categories (2.5.0) 1 | JEvents Calendar (3.1.34) 1 | JEvents View Switcher (3.1.34) 1 | mod_stats (2.5.0) 1 | mod_feed (2.5.0) 1 | mod_whosonline (2.5.0) 1 | mod_login (2.5.0) 1 | JEvents Legend (3.1.34) 1 | mod_finder (2.5.0) 1 | mod_syndicate (2.5.0) 1 | mod_wrapper (2.5.0) 1 | mod_users_latest (2.5.0) 1 | mod_menu (2.5.0) 1 | mod_banners (2.5.0) 1 | System (1.0.0) 1 | JEvents Latest Events (3.1.34) 1 | mod_custom (2.5.0) 1 | mod_related_items (2.5.0) 1 |
Modules :: ADMIN :: mod_logged (2.5.0) 1 | mod_submenu (2.5.0) 1 | mod_quickicon (2.5.0) 1 | mod_popular (2.5.0) 1 | mod_status (2.5.0) 1 | mod_latest (2.5.0) 1 | Akeeba Backup Notification Mod (3.4.3) 1 | mod_title (2.5.0) 1 | mod_multilangstatus (2.5.0) 1 | mod_feed (2.5.0) 1 | mod_login (2.5.0) 1 | mod_toolbar (2.5.0) 1 | mod_menu (2.5.0) 1 | mod_version (2.5.0) 1 | mod_custom (2.5.0) 1 |

Plugins :: SITE :: plg_extension_joomla (2.5.0) 1 | plg_extension_jce (2.6.21) 1 | plg_editors_tinymce (3.5.4.1) 1 | plg_editors_jce (2.6.21) 1 | plg_editors_codemirror (1.0) 1 | plg_search_weblinks (2.5.0) 1 | Search - JEvents (3.1.34) 1 | plg_search_newsfeeds (2.5.0) 1 | plg_search_contacts (2.5.0) 1 | plg_search_categories (2.5.0) 1 | plg_search_content (2.5.0) 1 | plg_quickicon_jce (2.6.0-pro-bet) 1 | plg_quickicon_extensionupdate (2.5.0) 1 | plg_quickicon_joomlaupdate (2.5.0) 1 | plg_authentication_joomla (2.5.0) 1 | plg_authentication_gmail (2.5.0) 0 | plg_authentication_ldap (2.5.0) 0 | plg_user_joomla (2.5.0) 1 | plg_user_contactcreator (2.5.0) 0 | plg_user_profile (2.5.0) 0 | plg_editors-xtd_article (2.5.0) 1 | plg_editors-xtd_pagebreak (2.5.0) 1 | plg_editors-xtd_image (2.5.0) 1 | plg_editors-xtd_readmore (2.5.0) 1 | plg_captcha_recaptcha (2.5.0) 0 | plg_installer_jce (2.6.21) 1 | plg_finder_weblinks (2.5.0) 1 | plg_finder_newsfeeds (2.5.0) 1 | plg_finder_contacts (2.5.0) 1 | plg_finder_jevents (3.1.34) 0 | plg_finder_categories (2.5.0) 1 | plg_finder_content (2.5.0) 1 | plg_system_redirect (2.5.0) 1 | plg_system_languagecode (2.5.0) 0 | plg_system_sef (2.5.0) 1 | plg_system_languagefilter (2.5.0) 0 | plg_system_jce (2.6.21) 1 | plg_system_debug (2.5.0) 1 | plg_system_log (2.5.0) 1 | plg_system_cache (2.5.0) 0 | plg_system_remember (2.5.0) 1 | plg_system_p3p (2.5.0) 1 | plg_system_logout (2.5.0) 1 | Akeeba Backup Lazy Scheduling (3.3) 0 | plg_system_highlight (2.5.0) 1 | plg_content_joomla (2.5.0) 1 | plg_content_loadmodule (2.5.0) 1 | plg_content_vote (2.5.0) 1 | plg_content_jce (2.6.21) 1 | JEvents - Core Content Plugin (3.2.0) 1 | plg_content_pagebreak (2.5.0) 1 | plg_content_pagenavigation (2.5.0) 1 | plg_content_emailcloak (2.5.0) 1 | plg_content_finder (2.5.0) 0 | plg_content_geshi (2.5.0) 0 |
Templates Discovered ::
Templates :: SITE :: JA_Purity (1.2.0) 1 | rhuk_milkyway (1.0.2) 1 | Marshall Lanes 2.5 (2.5.0) 1 |
Templates :: ADMIN :: bluestork (2.5.0) 1 | hathor (2.5.0) 1 |
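A defender-side check for the symptoms described in this post (PHP hidden in a .png under media/system/images, index.php and .htaccess silently rewritten minutes after cleanup), added here as an example and not code from the thread or from Joomla: it records SHA-256 hashes of index.php and .htaccess as a baseline, scans image files for PHP markers and bad PNG magic bytes, and runs against a constructed temporary web root. The marker list and all sample file contents are assumptions for the demo.

```python
import hashlib
import os
import re
import tempfile

# Byte patterns that have no business inside an image file (constructed list).
PHP_MARKERS = re.compile(rb"<\?php|<\?=|\beval\s*\(|base64_decode\s*\(", re.I)
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_image(path):
    """Findings for one image file: wrong PNG magic bytes and/or embedded PHP."""
    with open(path, "rb") as f:
        data = f.read()
    findings = []
    if path.lower().endswith(".png") and not data.startswith(PNG_MAGIC):
        findings.append("not-a-real-png")
    m = PHP_MARKERS.search(data)
    if m:
        findings.append("php-marker:" + m.group(0).decode("ascii", "replace"))
    return findings

def scan_site(root, baseline):
    """Flag suspicious images and baseline files (rel path -> SHA-256) that changed."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in IMAGE_EXT and (hits := scan_image(full)):
                report[rel] = hits
            if rel in baseline and sha256(full) != baseline[rel]:
                report.setdefault(rel, []).append("hash-mismatch")
    return report

def write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Constructed web root mimicking the thread: clean baseline, then tampering."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "media/system/images"))
    write(root, "index.php", b"<?php define('_JEXEC', 1);\n")
    write(root, ".htaccess", b"RewriteEngine On\n")
    baseline = {p: sha256(os.path.join(root, p)) for p in ("index.php", ".htaccess")}
    # Tampering modelled on the post's symptoms (constructed sample data).
    write(root, "index.php", b"<?php include 'media/system/images/x.png';\n")
    write(root, "media/system/images/x.png", PNG_MAGIC + b"\x00" * 16 + b"<?php /* sample */ ?>")
    write(root, "media/system/images/logo.png", PNG_MAGIC + b"\x00" * 64)  # clean decoy
    return scan_site(root, baseline)
```

Run the hashing step against a known-clean copy (for example a fresh Joomla download plus your own template files) and re-run the scan on a schedule; a file reappearing in the report after you have cleaned it points at a write path the attacker still holds, not at a file you missed.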

toivo
Joomla! Master
Posts: 17316
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: (Another)Website Hacked - php, htaccess, and images modified

Post by toivo » Sat Feb 03, 2018 9:25 am

The cleaning process is described in detail in this sticky post:
viewtopic.php?f=621&t=582854
jhutch769 wrote: I cannot figure out how to migrate to Joomla 3.x; I have tried and tried in xampp, but I cannot get our template to migrate properly. It was written by another company I can no longer get hold of.
Joomla 2.5 and its extensions are old and therefore vulnerable, for example JEvents (ref. https://vel.joomla.org/resolved/1740-jevents-pre-3-2-20). You should therefore upgrade to a supported version of Joomla.

Suggest you post the requirements and your contact details to the Professional Development Services forum at viewforum.php?f=177
Toivo Talikka, Global Moderator

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: (Another)Website Hacked - php, htaccess, and images modified

Post by fcoulter » Sat Feb 03, 2018 9:53 am

Also, your version of Virtuemart is several years out of date. You will need a migration from your version to the latest release, which is 3.2.12; it is not a simple task.

I have to say that I agree with toivo on this; your best bet is probably to find a professional who can do this for you. You can also look in the resources directory resource.joomla.org to find professionals who specialise in this kind of work.

If you really want to do this yourself, there are specialist extensions available, JMigrator is good for Virtuemart https://extensions.joomla.org/extension/jmigrator/
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

jhutch769
Joomla! Apprentice
Posts: 7
Joined: Wed Oct 01, 2014 6:25 pm

Re: (Another)Website Hacked - php, htaccess, and images modified

Post by jhutch769 » Sat Feb 03, 2018 3:42 pm

I don't believe we even use virtuemart. Is that an online e-commerce add-on? I believe we initially wanted to sell equipment online and have never used it.

jhutch769
Joomla! Apprentice
Posts: 7
Joined: Wed Oct 01, 2014 6:25 pm

Re: (Another)Website Hacked - php, htaccess, and images modified

Post by jhutch769 » Sat Feb 03, 2018 4:52 pm

I just received a message back from our webhost; this is what they said upon reviewing:
We have reviewed your 'mlanesc' account and see a lot of malware and shells there. It is needed to remove all Joomla content and reinstall it from scratch (preserving the current database and using it upon new installation). For example:

File: `...joomla/template/phpgacl.php'
Size: 4530 Blocks: 16 IO Block: 4096 regular file
Device: 805h/2053d Inode: 44040199 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1320/ xxxxxxx) Gid: ( 1311/ xxxxxxxx)
Access: 1969-12-31 16:00:00.000000000 -0800
Modify: 1969-12-31 16:00:00.000000000 -0800
Change: 2017-06-26 20:49:58.000000000 -0700


In order to prevent further security problems we have blocked web access to site via '.htaccess' file. Web access for your IP () is allowed, so you can proceed to work on the website cleaning and Joomla reinstall.
What is the best way to go about that?

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: (Another)Website Hacked - php, htaccess, and images modified

Post by fcoulter » Sat Feb 03, 2018 5:10 pm

jhutch769 wrote: I don't believe we even use virtuemart. Is that an online e-commerce add-on? I believe we initially wanted to sell equipment online and have never used it.
Yes, it is an e-commerce extension, and it is listed among your extensions. It seems like it was probably installed at some point and then not properly uninstalled, so that there is still an entry in the extensions table. If you go to extensions->manage->manage and search for virtuemart you may find it listed; if so, select it and use the uninstall option. You will probably get an error message then because it cannot actually find the extension, but hopefully the listing will be deleted anyway.

Clearly the site that you have is severely compromised; it sounds like repairing may not be the best option. It may be better to migrate straight to the latest version of Joomla.

The thing is that the unique parts of your site are your database and images; if you are fortunate these will not be affected. This is why using a migrator such as JMigrator or SPUpgrade is probably a better option. The way that these extensions work is that you construct a new site using the latest versions of the software, including Joomla and any extensions that you have, then use the migrator to import your old site database. So you have an up-to-date and clean site.

Alternatively, you could set up a clean version of your current site using a copy of your current database, then migrate to Joomla 3. If you want to do it that way around, these are the instructions for cleaning the site: viewtopic.php?f=714&t=946026. It is probably best to do this on XAMPP: if the hackers are using vulnerabilities in your current software and you set up a clean version online, it may not be very clean for long.

I recommend that you remove any extensions that you do not absolutely need; it will certainly simplify your task.

You mention that you are having problems with the template you are using; it may be that the template is not compatible with Joomla 3, which would explain why you are having problems. I suggest using a new Joomla 3 compatible template, at least for now. If you really like the old one you may be able to find someone who can adapt it for you in time.

I hope that this helps.

jhutch769
Joomla! Apprentice
Posts: 7
Joined: Wed Oct 01, 2014 6:25 pm

Re: (Another)Website Hacked - php, htaccess, and images modified

Post by jhutch769 » Sat Feb 03, 2018 6:31 pm

Ok, thank you, that helps. We have begun discussing developing a new site, which is a shame because we like our current look, layout and format, and I like using Joomla. I have a friend in IT and he suggested [spam], but I believe that is not affiliated with Joomla at all and is its own separate development. We are also using pSek as our hosting service.
